Cloud and Virtualization: Surpassing current levels of security

Earlier this month, RSA, The Security Division of EMC released a new RSA Security Brief entitled “Identity and Data Protection in the Cloud: Best Practices for Establishing Environments of Trust.” This Brief is authored by security and virtualization experts from VMware and across EMC and offers guidance and actionable best practices for organizations faced with the challenges of securing identities and data in the cloud.

The brief received a lot of good press coverage in outlets such as SearchSecurity and DarkReading. It also reinforces one of the core tenets of EMC’s cloud security strategy: our strong belief that virtualization and cloud are major disruptors that will lead to new architectures with levels of security surpassing what traditional IT architectures can deliver.

This bold claim has not gone unnoticed and some have publicly voiced their skepticism. Let me take a couple of examples in the areas of desktop and data management that illustrate how virtualization and cloud can solve security problems that are currently unsolved in traditional IT infrastructures.

Better Desktop Security

If you have ever talked to IT desktop administrators, you know that their worst security nightmare is you, me and all our fellow end-users. We are very difficult to control: we add software to our laptops without asking for permission, we change configurations to improve performance (don’t we know better?) and very often we are missing the latest security patches. To add to the desktop administrator’s nightmare, we take our laptops home or into hotel rooms, browse the Internet, get them infected and bring Trojans and other hard-to-detect malware back onto the corporate network when we reconnect (read Uri Rivner’s conspiracy theory blog if you do not believe me).

To solve that problem, you can either change human behavior or migrate to hosted virtual desktops. Since we only live once, I will focus on the latter.

A hosted virtual desktop environment, enabled by platforms such as VMware View, separates the corporate desktop from the underlying hardware and gives desktop administrators near-real-time control over desktop images. End-user data stays in the data center even while the end-user is working with it, and the isolation provided by virtualization keeps non-corporate use of the machine separate from the corporate desktop, greatly reducing the risk that an infected personal environment poses to corporate assets. The hypervisor, the remote display channel and the user’s access credentials become the boundary that must be protected, but that is a far smaller and better-instrumented surface than a fleet of roaming laptops.

Hosted virtual desktops do not change the end-user behavior but they put full control and visibility of the corporate desktop back in the hands of the IT administrator.

Content-aware Storage

If you are an IT architect with responsibility for ensuring optimal data availability to applications in compliance with the hundreds of policies and regulations that your organization has to obey, you have a tough job and many good reasons to have sleepless nights.

The architecture you oversee certainly relies on a distributed information infrastructure, with file systems, storage, archives and disaster recovery spread over multiple sites and maybe several countries. On top of that you have probably deployed data discovery technology such as the RSA Data Loss Prevention (DLP) Suite to locate, on a regular basis, sensitive data and data governed by specific policies or regulations (e.g., PCI DSS or European data protection law). Finally, you add DLP components at the network and desktop level to enforce DLP policies across your environment.

With cloud storage, content awareness can be built directly into the storage infrastructure so that DLP policies are enforced by the storage itself. You can set up a policy, for instance, to prevent sensitive data from being stored on an external cloud provider, or to ensure that employee information is only stored on infrastructure located in the same country as the employee. The storage infrastructure references and enforces these policies at the moment it handles the data, rather than after a periodic scan discovers a violation, which greatly simplifies data management and gives sleep back to deserving IT architects. One caveat: the enforcement is only as good as the classification that feeds it, so data must be classified at ingest, and an object whose classification or residency is unknown should be treated as restricted rather than waved through.
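The placement decision described above, as an added illustration that is not EMC Atmos or RSA DLP code: a small Python model in which each object is classified at write time (a Luhn-checked card-number pattern stands in for a DLP rule, and record metadata identifies employee data) and every candidate storage location is then checked against two assumed policies, no PCI data on an external provider and employee data only in the employee’s own country. The target names, country codes, metadata keys and sample records are all invented for the example; an object whose residency is unknown is refused rather than stored.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical model of a content-aware storage placement decision.
# Not EMC Atmos or RSA DLP code; all names and rules here are assumptions.


@dataclass(frozen=True)
class StorageTarget:
    name: str       # invented identifier of a storage location
    country: str    # ISO 3166-1 alpha-2 code of where the hardware sits
    external: bool  # True when the target is a third-party cloud provider


@dataclass
class Classification:
    labels: Set[str] = field(default_factory=set)  # e.g. {"pci", "employee_pii"}
    subject_country: Optional[str] = None          # country of the data subject, if known


# 13-16 digit runs with optional space/hyphen separators, the usual PAN shape.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to reject digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(content: str, metadata: Dict[str, str]) -> Classification:
    """Ingest-time classification: the role a DLP engine plays in front of storage."""
    c = Classification()
    for m in CARD_RE.finditer(content):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            c.labels.add("pci")
            break
    if metadata.get("record_type") == "employee":
        c.labels.add("employee_pii")
        c.subject_country = metadata.get("employee_country")
    return c


def allowed_targets(c: Classification, targets: List[StorageTarget]) -> List[StorageTarget]:
    """Apply the two assumed policies and return the targets that satisfy both."""
    allowed = []
    for t in targets:
        # Policy 1: sensitive (PCI) data never leaves infrastructure we control.
        if "pci" in c.labels and t.external:
            continue
        # Policy 2: employee data stays in the employee's own country.
        if "employee_pii" in c.labels:
            if c.subject_country is None:
                continue  # fail closed: unknown residency means no target is acceptable
            if t.country != c.subject_country:
                continue
        allowed.append(t)
    return allowed


def place(content: str, metadata: Dict[str, str], targets: List[StorageTarget]) -> str:
    """Return the first policy-compliant target, in preference order, or refuse the write."""
    allowed = allowed_targets(classify(content, metadata), targets)
    if not allowed:
        raise PermissionError("no storage target satisfies the placement policy")
    return allowed[0].name


# Constructed sample environment: two corporate data centers and one public cloud.
SAMPLE_TARGETS = [
    StorageTarget("dc-us-east", "US", external=False),
    StorageTarget("dc-de-frankfurt", "DE", external=False),
    StorageTarget("public-cloud-us", "US", external=True),
]

if __name__ == "__main__":
    # Constructed sample objects, not real records.
    print(place("invoice paid with card 4111 1111 1111 1111", {}, SAMPLE_TARGETS))
    print(place("Order 1234567890123456 shipped", {}, SAMPLE_TARGETS))  # fails Luhn: unrestricted
    print(place("Hans Mueller, salary band 4",
                {"record_type": "employee", "employee_country": "DE"}, SAMPLE_TARGETS))
    try:
        place("Marie Dupont", {"record_type": "employee", "employee_country": "FR"}, SAMPLE_TARGETS)
    except PermissionError as e:
        print("refused:", e)
```

The order of the target list is the preference order, so the first compliant entry wins; in a real deployment the classification step would be the DLP engine’s verdict and the policy table would be data rather than code, but the shape of the decision, classify once at ingest and let the storage layer refuse non-compliant placements, is the point the passage makes.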

EMC’s cloud and security divisions jointly demonstrated this concept earlier this year by integrating EMC Atmos cloud optimized storage with the RSA DLP suite.

These are just two examples of how cloud and virtualization represent a once-in-a-lifetime opportunity to change the way we implement security. There are more examples highlighted on the VMware Security Blog describing how RSA and VMware are collaborating to embed security in the virtual infrastructure. Let’s get the discussion going, but more importantly, let’s act and continue to demonstrate and prove how embedding security into virtual and cloud infrastructures will bring about new levels of security control that we cannot get by bolting security onto infrastructures that are inherently not secure.

About the Author: Eric Baize

Throughout his career, Eric Baize has been passionate about building security and privacy into systems and technology from design to deployment. He currently leads Dell EMC’s Product Security Office and serves as Chairman of SAFECode, an industry-led non-profit organization dedicated to advancing software and supply chain security best practices. At Dell EMC, Eric leads the team that sets the standards and practices for all aspects of product security for the product portfolio: Vulnerability response, secure development, consistent security architecture, and code integrity. Eric joined Dell through its combination with EMC where he built EMC’s highly successful product security program from the ground up and was a founding member of the leadership team that drove EMC’s acquisition of RSA Security in 2006. He later led RSA’s strategy for cloud and virtualization. Prior to joining EMC in 2002, Eric held various positions for Groupe Bull in Europe and in the US. Eric has been a member of the SAFECode Board of Directors since the organization was founded in 2007 and also serves on the BSIMM Board of Advisors. He holds multiple U.S. patents, has authored international security standards, is a regular speaker at industry conferences and has been quoted in leading print and online news media. Eric holds a Masters of Engineering degree in Computer Science from Ecole Nationale Supérieure des Télécommunications de Bretagne, France and is a Certified Information Security Manager. Follow Eric Baize on Twitter: @ericbaize